US20070294535A1 - Authentication Device and Method - Google Patents

Publication number
US20070294535A1
Authority
US
United States
Prior art keywords
data
header
area
authentication
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US11/596,022
Other versions
US8205075B2 (en)
Inventor
Shiho Moriai
Muneki Shimada
Kyoji Shibutani
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sony Interactive Entertainment Inc
Sony Network Entertainment Platform Inc
Original Assignee
Sony Corp
Sony Computer Entertainment Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sony Corp, Sony Computer Entertainment Inc
Assigned to SONY COMPUTER ENTERTAINMENT INC., SONY CORPORATION. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SHIBUTANI, KYOJI, SHIMADA, MUNEKI, MORIAI, SHIHO
Publication of US20070294535A1
Assigned to SONY NETWORK ENTERTAINMENT PLATFORM INC. CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: SONY COMPUTER ENTERTAINMENT INC.
Assigned to SONY COMPUTER ENTERTAINMENT INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: SONY NETWORK ENTERTAINMENT PLATFORM INC.
Application granted
Publication of US8205075B2
Expired - Fee Related
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • the present invention relates to an authentication technology.
  • Authentication is often performed on data to be communicated (the term “communicate” or “communication” in this specification includes, in addition to data exchange between different devices, data exchange between chips or other components within the same device, and data exchange between a recording medium and a device) in order to, for example, check validity of data, and prevent data alteration or spoofing.
  • data to be communicated has a data structure including a header area, a data area that contains digital information as a substantial object of the communication, and an authentication data area that contains authentication data used for authentication of the data area.
  • Authentication data contained in the authentication data area of this data structure is generated by performing a given algorithm operation on digital information contained in the data area.
  • the header area of this data structure contains information for identifying an algorithm used for creating authentication data or data needed to create the authentication data (in some cases, the algorithm itself). Information about data length and sequence number may also be contained if necessary.
  • a device which has received data having this data structure performs an algorithm operation on digital information contained in the data area by way of an algorithm that is identified from information contained in the header area of the received data.
  • the result of the operation is compared with authentication data contained in the authentication data area. When the two are found to be a match as a result of the comparison, the device judges that the received data is valid or complete, whereas the device judges that the received data is invalid or incomplete when the two do not match.
  • authentication fails if even one of the conditions (1) to (3) is not fulfilled and, when authentication fails, there is no way of specifying which one of (1) to (3) is the cause.
  • if the cause of an authentication failure can be identified, for example, if it can be specified that the unfulfilment of (3) has caused the authentication failure, there is no need to obtain the data again and a reattempt at authentication can be processed efficiently. If the cause of an authentication failure cannot be identified, on the other hand, every processing step that is necessary for authentication has to be performed all over again for a reattempt at authentication.
  • An object of the present invention is to provide a technique for making it possible to identify the cause of an authentication failure.
  • the present invention provides two embodiments.
  • the first embodiment provides a data structure of data to be communicated in a communication, including: a data area for containing digital information that is a substantial object of the communication; a header area attached to the data area at a head of the data to be communicated; a header authentication data area for containing header authentication data used for authentication of the header area; and an authentication data area for containing authentication data used for authentication of the data area and the header authentication data area, in which the header area contains a second algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the data area using the authentication data.
  • the second embodiment provides a data structure of data to be communicated in a communication, including: a data area for containing digital information that is a substantial object of the communication; a header area attached to the data area at a head of the data to be communicated; a header authentication data area for containing header authentication data used for authentication of the header area; and an authentication data area for containing authentication data used for authentication of the data area, in which the header area contains a second algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the data area using the authentication data.
  • the first embodiment and the second embodiment each have a header authentication data area for containing header authentication data.
  • Header authentication data is for authentication of a header area.
  • the first embodiment and the second embodiment each have an authentication data area for containing authentication data.
  • Authentication data in the first embodiment is for authentication of a data area and of a header authentication data area.
  • Authentication data in the second embodiment is for authentication of a data area.
  • a device can perform authentication of the header area separately from authentication of the data area and of the header authentication data area.
  • a device can perform authentication of the header area separately from authentication of the data area.
  • a device that receives data with such a data structure can therefore specify whether an alteration or the like is made to the header area or to areas other than the header area when authentication of the data fails.
  • the cause of an authentication failure can be identified. This contributes to raising the efficiency of, for example, retrying authentication processing.
  • the second algorithm information in the first embodiment and the second embodiment may be information for identifying a second algorithm (e.g., a code specifying a calculation method that is defined by a unified standard), or may be a second algorithm itself.
  • Data with the data structure according to the first embodiment or the second embodiment has a header area, a data area, a header authentication data area, and an authentication data area in sequence.
  • the sequence is headed by the header area.
  • the data area, the header authentication data area, and the authentication data area follow the header area in an arbitrary order.
  • the header authentication data area may be positioned immediately after the header area, for example. This is convenient since a device receiving data with the data structure of the first embodiment or the second embodiment can perform authentication on the header area as soon as the header area and the header authentication data area are received. For instance, when the authentication of the header area fails, the device can stop obtaining the subsequent areas of the data. This makes it possible to avoid loading data from the data area when an invalid code such as a virus is contained within the data area, and thereby prevent the invalid code from infiltrating the device performing authentication.
  • the header area of data with the data structure according to the first embodiment or the second embodiment may record information about the data length of the data area. This enables a device receiving the data to know where the data area starts and ends in performing authentication on the data area.
  • the header area of data with a data structure according to the first embodiment or the second embodiment may contain at least one of information about the data length of the header area, information about the data length of the header authentication data area, and information about the data length of the authentication data area. Data indicating a break point between different kinds of data may be buried at the heads or tails of the header area, the header authentication data area, the data area, and the authentication data area, so that a device receiving the data can know where the data area starts and ends in performing authentication on the data area.
  • the header area of data with the data structure according to the first embodiment or the second embodiment may contain a first algorithm information, which is information for specifying what algorithm is employed in a given algorithm operation when authentication using the header authentication data is performed on the header area.
  • when a first algorithm used in a device that performs authentication is determined in advance, there is no need to bury information for identifying the first algorithm in the header area.
  • the first algorithm information in the first embodiment and the second embodiment, if it needs to be contained in the header area, may be information for identifying the first algorithm (e.g., a code specifying a calculation method that is defined by a unified standard), or may be the first algorithm itself.
  • Data with the data structure according to the first embodiment and data with the data structure according to the second embodiment can be created by, for example, devices described below.
  • the data with the data structure according to the first embodiment can be created using a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data, in which the means for creating data of the header
  • the data with the data structure according to the second embodiment can be created using a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data, in which the means for creating data of the header area makes the header area data contain a second algorithm information
  • the integrating means in these data processing devices may place the header authentication data area right behind the header area.
  • Data created by such data processing devices has a data structure in which the header authentication data area immediately follows the header area.
  • the means for creating header area data in the data processing devices may create data of specific size for the header area.
  • the means for creating header area data in the data processing devices may record information about the data length of the data area in data of the header area. This means may make the header area contain at least one of information about the data length of the header area, information about the data length of the header authentication data area, and information about the data length of the authentication data area.
  • the means for creating the header area, the means for creating the header authentication data area, the means for creating the data area, and the means for creating the authentication data area in the data processing devices may each bury data that indicates a break point between different kinds of data at the head or tail of data it creates.
  • the means for creating header area data may make the header area contain a first algorithm information, which is information for specifying what algorithm is used in a given algorithm operation when authentication using the header authentication data is performed on the header area.
  • Data with a data structure according to the first embodiment and data with a data structure according to the second embodiment can be created by, for example, methods described below.
  • the data with the data structure according to the first embodiment can be created using a data processing method executed in a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including the steps of: creating, by the data processing device, data of a header area attached to the data area at a head of the data to be communicated; creating, by the data processing device, data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; creating, by the data processing device, authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating, by the data processing device, the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data
  • the data with the data structure according to the second embodiment can be created using a data processing method executed in a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including the steps of: creating, by the data processing device, data of a header area attached to the data area at a head of the data to be communicated; creating, by the data processing device, data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; creating, by the data processing device, authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating, by the data processing device, the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a
  • the above-mentioned devices which create the data with the data structure according to the first embodiment and the data with the data structure according to the second embodiment may be dedicated devices.
  • general-purpose computers can serve as these devices when, for example, computer programs described below are employed.
  • the above-mentioned device for creating the data with the data structure according to the first embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a computer to function as a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, in which the computer is caused to function as: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area,
  • the above-mentioned device for creating the data with the data structure according to the second embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a computer to function as a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, in which the computer is caused to function as: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the
  • the above computer programs may be recorded in recording media.
  • the data with the data structure according to the first embodiment and the data with the data structure according to the second embodiment can be authenticated by, for example, devices described below.
  • the device for authenticating the data with the data structure according to the first embodiment is an authentication device that receives data having the data structure of the first embodiment and performs authentication on the data, including: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • the device for authenticating the data with the data structure according to the second embodiment is an authentication device that receives data having the data structure of the second embodiment and performs authentication on the data, including: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • the authentication means in the authentication devices may not carry out the algorithm operation when the header authentication device judges that a result of the algorithm operation performed on the header area using the first algorithm does not match the header authentication data.
  • the header authentication means may start the algorithm operation as soon as the header area and the header authentication data area are received in the case where data with the data structure according to the first embodiment or the second embodiment has the header authentication data area right behind the header area.
  • the authentication devices may further include means for performing processing of discontinuing reception of data after the header authentication means judges that a result of the algorithm operation performed on the data by the header authentication means does not match the header authentication data. This means is expected to prevent troubles caused by receiving the entirety of data that is suspected of being altered, for example, troubles that a virus or other invalid codes contained in the data area may cause.
  • the data with the data structure according to the first embodiment and the data with the data structure according to the second embodiment can be authenticated by, for example, methods described below.
  • the method of authenticating the data with the data structure according to the first embodiment is an authentication method executed in an authentication device that receives data having the data structure of the first embodiment and performs authentication on the data, including the steps of: performing, by the authentication device, an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and performing, by the authentication device, an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from a second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • the method of authenticating the data with the data structure according to the second embodiment is an authentication method executed in an authentication device that receives data having the data structure of the second embodiment and performs authentication on the data, including the steps of: performing, by the authentication device, an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and performing, by the authentication device, an algorithm operation on the data area with the use of a second algorithm that is identified from a second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • the above-mentioned devices which authenticate data with a data structure according to the first embodiment and data with a data structure according to the second embodiment may be dedicated devices.
  • general-purpose computers can serve as these devices when, for example, computer programs described below are employed.
  • the above-mentioned device for creating the data with the data structure according to the first embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a given computer to function as an authentication device that receives data having a data structure of the first embodiment and performs authentication on the data, in which the computer is caused to function as: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • the above-mentioned device for creating the data with the data structure according to the second embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a given computer to function as an authentication device that receives data having the data structure of the second embodiment and performs authentication on the data, in which the computer is caused to function as: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • the above computer programs may be recorded in recording media.
  • FIG. 1 is a schematic diagram showing an overall configuration of a communication system according to a first embodiment.
  • FIG. 2 is a schematic diagram showing a hardware configuration of a terminal shown in FIG. 1.
  • FIG. 3 is a block diagram showing function blocks formed inside the terminal shown in FIG. 1.
  • FIG. 4 is a conceptual diagram showing contents of data recorded in an algorithm holding portion shown in FIG. 3.
  • FIG. 5 is a function block diagram showing an interior of a data creating portion shown in FIG. 3.
  • FIG. 6 is a function block diagram showing an interior of a data authentication portion shown in FIG. 3.
  • FIG. 7 is a flow chart showing a processing flow of data creating processing, which is executed by the data creating portion of the terminal shown in FIG. 1.
  • FIGS. 8A to 8C are conceptual diagrams showing an example of a header authentication data creating method.
  • FIG. 9 is a conceptual diagram showing a data structure of data created by the terminal.
  • FIG. 10 is a flow chart showing the processing flow of data authentication processing, which is executed by the data authentication portion of the terminal shown in FIG. 1.
  • Described in the first embodiment is a communication system that is shown in FIG. 1 as terminals 1 connected to one another by a network N.
  • the terminals 1 are capable of exchanging e-mail and the network N is, for example, the Internet.
  • the terminals 1 correspond to both a data processing device and an authentication device of the present invention. E-mail exchanged between the terminals 1 corresponds to data with a data structure according to the present invention. Each of the terminals 1 can create data about a piece of e-mail and can authenticate the received data.
  • the terminals 1 have basically the same configuration.
  • Each terminal 1 has a general-purpose computer machine body 11 such as a common personal computer.
  • the computer machine body 11 is connected to an input device 12 , which is composed of a keyboard, a mouse and the like, and a display device 13 for displaying images.
  • the terminal 1 also has a disk drive 14 for reading given data or a computer program out of a recording medium M, which is, for example, a CD-ROM.
  • the recording medium M shown in FIG. 1 records a computer program according to the present invention.
  • the computer machine body 11 reads the computer program recorded in the recording medium M out of the recording medium M loaded into the disk drive 14 .
  • the computer program gives the computer machine body 11 functions of both the data processing device and data authentication device of the present invention.
  • the computer program may give the computer machine body 11 functions of both the data processing device and data authentication device of the present invention, alone or in cooperation with an OS installed in the computer, another computer program, or data.
  • the computer machine body 11 contains, as shown in FIG. 2 , a CPU (Central Processing Unit) 21 , a ROM (Read Only Memory) 22 , a RAM (Random Access Memory) 23 , an interface 24 , and a bus 25 which connects these components to one another.
  • the CPU 21 executes given processing by executing a given computer program.
  • the ROM 22 is a recording medium that stores a computer program for operating the CPU 21 , data necessary for controlling the display device 13 , and the like.
  • the RAM 23 provides a work area for the CPU 21 to process data.
  • the interface 24 functions as a port through which data is exchanged with the external. Through the interface 24 , an input is made from the input device 12 and the disk drive 14 and an output of image data is made to the display device 13 .
  • the computer machine body 11 communicates with another terminal 1 through the interface 24 and the network N.
  • the CPU 21 incorporated in the terminal 1 of the present invention forms the following function blocks by executing the above-mentioned computer program.
  • the function blocks formed include, as shown in FIG. 3 , an input/output management portion 31 , a control portion 32 and a data obtaining portion 33 .
  • the terminal 1 in this embodiment has a function of creating e-mail, but a description on this function will be omitted.
  • the input/output management portion 31 controls communications between the terminals 1 over the network N, and has a function of sending data to another terminal 1 or receiving data from another terminal 1 .
  • the control portion 32 has a function of executing data creating processing and data authentication processing which will be described later.
  • the data obtaining portion 33 obtains, when the control portion 32 executes data creating processing, digital information that is a substantial object of the transmission from another component of the terminal 1 .
  • the data obtaining portion 33 sends the digital information as a substantial object of the transmission to the control portion 32 , more specifically, to a data creating portion 321 .
  • the control portion 32 has the data creating portion 321 , a data authentication portion 322 and an algorithm holding portion 323 .
  • the data creating portion 321 has a function of creating transmission data by executing data creating processing, which will be described later, using digital information that is sent from the data obtaining portion 33 .
  • the data authentication portion 322 performs data authentication processing, which will be described later, on data that is received by the input/output management portion 31 from another terminal 1 .
  • the algorithm holding portion 323 records information about an algorithm used by the data creating portion 321 or the data authentication portion 322 when the data creating processing or the data authentication processing is executed.
  • Plural algorithms are recorded in the algorithm holding portion 323 in a state shown in FIG. 4 .
  • Algorithm 1 , Algorithm 2 , Algorithm 3 . . . represent the recorded algorithms.
  • Identifier codes are also recorded in the algorithm holding portion 323 in a state shown in FIG. 4 .
  • Identifier Code 1 , Identifier Code 2 , Identifier Code 3 . . . represent the recorded identifier codes.
  • An identifier code is associated with an algorithm denoted by the same number, so that once the identifier code is identified, the algorithm denoted by the same number as the identifier code is identified. The data size of an identifier code is much smaller than that of an algorithm.
  • the data creating portion 321 is as shown in FIG. 5 .
  • the data creating portion 321 has a header creating portion 321 A, a header authentication data creating portion 321 B, an authentication data creating portion 321 C, and a data integrating portion 321 D.
  • the header creating portion 321 A creates, when transmitting digital information that is received by the data creating portion 321 from the data obtaining portion 33 , data about a header attached to a data area, which is an area containing the digital information to be transmitted.
  • Header area data contains information about the sender terminal 1 , the address of the receiver terminal 1 , an identifier code as the one described above, and the like, which will be described later.
  • the data about the header later constitutes a header area.
  • the header authentication data creating portion 321 B has a function of creating header authentication data, which is needed when the terminal 1 receiving the created data executes header area authentication processing.
  • the header authentication data later constitutes a header authentication data area.
  • the authentication data creating portion 321 C creates authentication data, which is needed when the terminal 1 receiving the created data executes authentication processing of the header authentication data area and the data area.
  • the authentication data later constitutes an authentication data area.
  • the data integrating portion 321 D combines digital information received from the data obtaining portion 33 with header data created by the header creating portion 321 A, header authentication data created by the header authentication data creating portion 321 B, and authentication data created by the authentication data creating portion 321 C, to thereby make them into a sequence of data.
  • In this sequence of data, the digital information constitutes the data area, the header data constitutes the header area, the header authentication data constitutes the header authentication data area, and the authentication data constitutes the authentication data area.
  • the thus created data is transferred to the input/output management portion 31 to be sent to another terminal 1 that is indicated by the address written in the header area.
  • the data authentication portion 322 is as shown in FIG. 6 .
  • the data authentication portion 322 has a header authentication portion 322 A, an authentication portion 322 B, a cancellation processing portion 322 C and a temporary storage portion 322 D.
  • the temporary storage portion 322 D has a function of receiving, from the input/output management portion 31 , data that is sent from another terminal 1 to be authenticated and temporarily storing the received data.
  • the header authentication portion 322 A has a function of authenticating validity of the header area.
  • the header authentication portion 322 A reads header data area and header authentication data area data among data recorded in the temporary storage portion 322 D, and performs the authentication.
  • the authentication portion 322 B has a function of authenticating the validity of the data area and the header authentication data area.
  • the authentication portion 322 B reads header area data, header authentication data area data, data area data, and authentication data area data among data recorded in the temporary storage portion 322 D, and performs the authentication.
  • the cancellation processing portion 322 C has a function of deciding to perform processing of discontinuing reception of data after the header authentication portion 322 A judges that the data contains an invalid header area.
  • When the cancellation processing portion 322 C decides to carry out the processing, information about the decision is sent to the input/output management portion 31 .
  • the input/output management portion 31 discontinues the reception of the data that has the invalid header area if the reception of the data is still in progress.
  • the terminals 1 exchange e-mail with one another in this communication system.
  • the terminal 1 that sends e-mail creates e-mail data (data creating processing), and the terminal 1 that receives e-mail performs authentication on the e-mail data (data authentication processing).
  • FIG. 7 shows a flow of processing executed by the data creating portion 321 in the data creating processing.
  • the data creating processing is performed upon transmission of e-mail in this embodiment.
  • the data creating portion 321 obtains the digital information from the data obtaining portion 33 , which has obtained the digital information as the substantial object of the transmission (S 401 ).
  • the digital information equals the data area.
  • the header creating portion 321 A creates the header data (S 402 ).
  • the header data later constituting the header area contains information about the sender terminal 1 and the address of the receiver terminal 1 .
  • the header data also contains information about the length of the authentication data and an identifier code associated with an algorithm that is used in authentication data creation, which will be described later.
  • the header creating portion 321 A selects, from algorithms recorded in the algorithm holding portion 323 , an algorithm that is used in creating the header authentication data and an algorithm that is used in creating the authentication data, and buries in the header area an identifier code associated with the algorithm that is used in creating the authentication data.
  • Identifier Code 2 is contained, in this embodiment, in respective header data as the identifier code associated with the algorithm that is used in creating the authentication data.
  • Algorithm 1 is always used in creating the header authentication data. This information is shared among the terminals 1 .
  • the header creating portion 321 A sends, to the header authentication data creating portion 321 B, information about which algorithm should be used in creating the header authentication data and sends, to the authentication data creating portion 321 C, information about which algorithm is used in creating the authentication data.
  • every header area (header data) created has a predetermined size. Information about the header area size is shared among the terminals 1 in this embodiment.
  • the header creating portion 321 A sends the created header area data to the header authentication data creating portion 321 B and to the data integrating portion 321 D.
  • the header authentication data creating portion 321 B creates the header authentication data (S 403 ).
  • the header authentication data creating portion 321 B receives, prior to creating the header authentication data, from the header creating portion 321 A, information about which algorithm should be used in creating the header authentication data and the created header data. Based on the received information and header data, the header authentication data creating portion 321 B creates the header authentication data.
  • the header authentication data creating portion 321 B reads, out of the algorithm holding portion 323 , an algorithm that is specified by the received identifier code (Algorithm 1 in this embodiment), and performs an algorithm operation on the received header area using the read algorithm.
  • the header authentication data is created as a result of the algorithm operation.
  • the created header authentication data is sent to the authentication data creating portion 321 C and to the data integrating portion 321 D.
  • the algorithm operation can be any operation specified by an algorithm.
  • Known methods such as CBC-MAC (Cipher Block Chaining-Message Authentication Code) may be employed, and a new calculation method may also be employed.
  • the algorithm operation is performed as shown in FIGS. 8A to 8 C.
  • header data shown in FIG. 8A is equally divided into n parts as shown in FIG. 8B .
  • a specific calculation (denoted by “E” in the drawing; usually block encryption such as DES and AES is used) is performed on the divided data, starting from the front of the header data, and the result of the specific calculation is added (denoted by “+” in the drawing) to the next part of the divided data before performing the specific calculation again and adding the result of the specific calculation to the subsequent part of the divided data. This is repeated until the n-th part of the data.
  • the final result is header authentication data.
  • the authentication data creating portion 321 C creates authentication data (S 404 ).
  • Prior to creating authentication data, the authentication data creating portion 321 C receives from the header creating portion 321 A information about which algorithm should be used in creating authentication data. The authentication data creating portion 321 C also receives in advance the created header authentication data from the header authentication data creating portion 321 B and the digital information constituting the data area from the data obtaining portion 33 .
  • the authentication data creating portion 321 C creates the authentication data area.
  • the authentication data creating portion 321 C reads, out of the algorithm holding portion 323 , an algorithm that is specified by the received identifier code (Algorithm 2 in this embodiment), and uses the read algorithm in performing an algorithm operation on a combination of the received header authentication data and digital information. Authentication data is created as a result of the algorithm operation.
  • the algorithm operation can be any operation specified by an algorithm as in the above case.
  • the created authentication data is sent to the data integrating portion 321 D.
  • the data integrating portion 321 D integrates the data (S 405 ).
  • the data integrating portion 321 D receives in advance the digital information from the data obtaining portion 33 , the header data from the header creating portion 321 A, the header authentication data from the header authentication data creating portion 321 B, and authentication data from the authentication data creating portion 321 C.
  • the data integrating portion 321 D integrates the received data into a sequence of data to be communication data.
  • In the communication data, the digital information constitutes the data area, the header data constitutes the header area, the header authentication data constitutes the header authentication data area, and the authentication data constitutes the authentication data area.
  • This transmission data is as shown in FIG. 9 , and has a header area D 1 at the head, and subsequently a header authentication data area D 2 , a data area D 3 and an authentication data area D 4 in the order stated.
  • This data is transferred to the input/output management portion 31 to be sent to another terminal 1 via the network N.
  • FIG. 10 shows the flow of processing executed by the data authentication portion 322 as the data authentication processing.
  • the data authentication processing is executed upon e-mail reception in this embodiment.
  • e-mail received here is the data described in the [Data Creating Processing] section.
  • the data started to be received is temporarily stored in the temporary storage portion 322 D.
  • the data is received sequentially from the left hand side of the data structure shown in FIG. 9 and recorded in the temporary storage portion 322 D sequentially from the left hand side of the data structure shown in FIG. 9 .
  • header authentication portion 322 A performs header authentication.
  • Header authentication may be carried out after the entirety of data is received. In this embodiment, however, header authentication is started before the reception of the data is completed, more specifically, as soon as the header area D 1 and the header authentication data area D 2 are received (and recorded in the temporary storage portion 322 D).
  • the header authentication portion 322 A of this embodiment therefore monitors for whether or not the header area D 1 and the header authentication data area D 2 have been received, in other words, whether or not the recording of the header area D 1 and the header authentication data area D 2 in the temporary storage portion 322 D has been completed (S 502 ).
  • When the recording has been completed, the header authentication portion 322 A starts header authentication (S 503 ). In the case where the recording of the header authentication data area D 2 in the temporary storage portion 322 D has not been completed (S 502 : NO), the header authentication portion 322 A continues the monitoring described above.
  • Header authentication is performed as follows.
  • the header authentication portion 322 A reads out of the algorithm holding portion 323 Algorithm 1 as an algorithm used in authentication of the header area.
  • the terminals 1 which share information that Algorithm 1 should be used as an algorithm for creating header authentication data as mentioned above, also share information that Algorithm 1 should be used in header authentication performed on the header area.
  • the header authentication portion 322 A also reads the header area D 1 and the header authentication data area D 2 out of the temporary storage portion 322 D.
  • Upon completion of the reading, the header authentication portion 322 A performs an operation specified by Algorithm 1 on the header area.
  • the algorithm operation is performed the same way as in the header authentication data creation described in the [Data Creating Processing] section. In the case where the header area D 1 has not been altered and no data is missing, the result of the algorithm operation performed on the header area matches the header authentication data.
  • the header authentication portion 322 A judges whether the header area D 1 is valid or not from whether or not the two are a match (S 504 ).
  • When the header authentication portion 322 A judges that the header area D 1 is invalid (S 504 : NO), it informs the cancellation processing portion 322 C of the fact. Informed of the fact, the cancellation processing portion 322 C performs cancellation processing (S 505 ).
  • the cancellation processing is for discontinuing reception of data containing the header area D 1 that is authenticated unsuccessfully in header authentication.
  • the cancellation processing portion 322 C informs the input/output management portion 31 of the fact that the cancellation processing is executed.
  • the input/output management portion 31 discontinues the reception of the data at this point if the reception of the data is still in progress.
  • When the header area D 1 is invalid, there is a high risk that an invalid code is contained in the data area D 3 . Discontinuing reception of data in this manner increases the chance of avoiding troubles that result from receiving invalid codes.
  • When the header authentication portion 322 A judges that the header area D 1 is invalid (S 504 : NO), this information is sent also to the authentication portion 322 B. The authentication portion 322 B thereby understands that the authentication failure is due to unsuccessful authentication of the header area D 1 (S 506 ).
  • When the header authentication portion 322 A judges that the header area D 1 is valid, it informs the authentication portion 322 B of the fact.
  • the authentication portion 322 B starts the authentication when reception of the entire data is completed, in other words, after the authentication data area D 4 is received (and recorded in the temporary storage portion 322 D).
  • the authentication portion 322 B of this embodiment therefore monitors for whether reception of the entirety of data has been completed or not, in other words, whether or not the authentication data area D 4 has finished being recorded in the temporary storage portion 322 D (S 507 ).
  • When the recording has been completed, the authentication portion 322 B starts the authentication (S 508 ). In the case where the recording of the authentication data area D 4 in the temporary storage portion 322 D has not been completed (S 507 : NO), the authentication portion 322 B continues the monitoring described above.
  • Prior to performing the authentication, the authentication portion 322 B reads the header authentication data area D 2 , the data area D 3 and the authentication data area D 4 out of the temporary storage portion 322 D. The authentication portion 322 B also reads out of the header area D 1 an identifier code as information for specifying which algorithm the authentication portion 322 B uses to perform the authentication. The read identifier code is associated with Algorithm 2 as mentioned above.
  • Upon completion of the reading, the authentication portion 322 B performs an operation specified by Algorithm 2 , which is associated with the identifier code, on the header authentication data area D 2 and the data area D 3 .
  • For this algorithm operation, an algorithm associated with the identifier code is read out of the algorithm holding portion 323 .
  • the algorithm operation is performed the same way as in the authentication data creation described in the [Data Creating Processing] section. In the case where the header authentication data area D 2 and the data area D 3 have not been altered and no data is missing, the result of the algorithm operation matches the authentication data.
  • the authentication portion 322 B judges whether the header authentication data area D 2 and the data area D 3 are valid or not from whether or not the result matches the authentication data (S 509 ).
  • When the result does not match the authentication data, the authentication portion 322 B grasps that the authentication failure is due to the fact that the header authentication data area D 2 or the data area D 3 is invalid (S 506 ).
  • When the result matches the authentication data, the authentication portion 322 B determines that the authentication of the data is a complete success (S 510 ).
  • the data authentication processing is thus ended.
  • the authentication portion 322 B grasps the cause of an authentication failure as described above. This can be utilized in performing the data authentication processing again, and is also effective as data for statistically examining authentication failure patterns.
  • the terminal 1 in this embodiment has functions of both the data processing device and authentication device of the present invention.
  • the terminal 1 may have only one of the data processing device function and the authentication device function.
  • the terminal 1 that functions only as the data processing device does not have the data authentication portion 322 out of the function blocks of the above terminal 1 whereas the terminal 1 that functions only as the authentication device does not have the data creating portion 321 out of the function blocks of the above terminal 1 .
  • the terminals 1 according to a second embodiment are substantially the same as the terminals 1 in the first embodiment.
  • the terminals 1 can exchange e-mail with one another and are connected to one another via the network N, which is, for example, the Internet, to constitute the communication system shown in FIG. 1 .
  • the terminals 1 according to the second embodiment correspond to both the data processing device and authentication device of the present invention.
  • E-mail exchanged between the terminals 1 corresponds to data with a data structure according to the present invention.
  • Each of the terminals 1 can create data about a piece of e-mail and can authenticate the data received.
  • Each terminal 1 has the same configuration as in the first embodiment.
  • the terminal 1 of the second embodiment has the hardware configuration shown in FIG. 2 as does the terminal 1 of the first embodiment.
  • the terminal 1 of the second embodiment obtains the functions of both the data processing device and authentication device of the present invention by reading a computer program out of the given recording medium M.
  • the CPU 21 contained in the terminal 1 of the second embodiment forms the same function blocks as those in the first embodiment.
  • the function blocks formed in the second embodiment are as shown in FIG. 3 as in the first embodiment.
  • the authentication data creating portion 321 C that is formed in the terminal 1 of the second embodiment creates authentication data based on digital information, unlike the case of the first embodiment.
  • the authentication data creating portion 321 C in the terminal 1 of the second embodiment reads, prior to creating authentication data, out of the header creating portion 321 A, which algorithm should be used in creating authentication data.
  • the authentication data creating portion 321 C also receives in advance digital information constituting the data area from the data obtaining portion 33 . Based on the received information, the authentication data creating portion 321 C creates authentication data.
  • the authentication data creating portion 321 C reads out of the algorithm holding portion 323 an algorithm that is specified by the received identifier code, and performs an algorithm operation on the data area received in advance by using the read algorithm. Authentication data is created as a result of the algorithm operation.
  • the authentication portion 322 B in the second embodiment performs authentication on the data area out of the areas of the received data, instead of the header authentication data area and the data area as in the first embodiment.
  • the authentication portion 322 B in the second embodiment reads out of the header area an identifier code as information for specifying which algorithm the authentication portion 322 B uses to perform authentication on the data area D 3 .
  • the authentication portion 322 B also reads the data area D 3 and the authentication data area D 4 out of the temporary storage portion 322 D.
  • Upon completion of the reading, the authentication portion 322 B performs an operation specified by the algorithm that is associated with the identifier code. For this algorithm operation, an algorithm associated with the identifier code is read out of the algorithm holding portion 323 . In the case where the data area D 3 has not been altered and no data is missing, the result of the algorithm operation matches the authentication data.
  • the authentication portion 322 B judges whether the data area D 3 is valid or not from whether or not the result matches the authentication data.
  • the overall processing flow of data creating processing and data authentication processing executed in the terminal 1 of the second embodiment is the same as in the first embodiment.
  • the terminals 1 according to a third embodiment are substantially the same as the terminals 1 in the first embodiment.
  • the terminals 1 can exchange e-mail with one another and are connected to one another via the network N, which is, for example, the Internet, to constitute the communication system shown in FIG. 1 .
  • the terminals 1 according to the third embodiment correspond to both the data processing device and authentication device of the present invention.
  • E-mail exchanged between the terminals 1 corresponds to data with a data structure according to the present invention.
  • Each of the terminals 1 can create data about a piece of e-mail and can authenticate the data received.
  • Each terminal 1 has the same configuration as in the first embodiment.
  • the terminal 1 of the third embodiment has the hardware configuration shown in FIG. 2 as does the terminal 1 of the first embodiment.
  • the terminal 1 of the third embodiment obtains the functions of both the data processing device and authentication device of the present invention by reading a computer program out of the given recording medium M.
  • the CPU 21 contained in the terminal 1 of the third embodiment forms the same function blocks as those in the first embodiment.
  • the function blocks formed in the third embodiment are as shown in FIG. 3 as in the first embodiment.
  • the third embodiment differs from the first embodiment in that the terminals 1 in the third embodiment do not share information about which algorithm should be used as an algorithm for creating header authentication data and information about which algorithm should be used in header authentication performed on the header area.
  • This difference gives the header creating portion 321 A and header authentication portion 322 A of the terminal 1 in the third embodiment functions that are different from those of the terminal 1 in the first embodiment.
  • the header creating portion 321 A formed in the terminal 1 of the third embodiment makes header area data contain, in addition to the aforementioned information, an identifier code for specifying which algorithm is used in creating header authentication data.
  • the header authentication portion 322 A formed in the terminal 1 of the third embodiment reads, in performing header authentication, out of the header area data, the identifier code for specifying which algorithm is used in performing authentication of the header area.
  • the header authentication portion 322 A also reads out of the algorithm holding portion 323 an algorithm that is identified by the read identifier code, and performs an operation specified by the algorithm on the header area data.
  • the overall processing flow of data creating processing and data authentication processing executed in the terminal 1 of the third embodiment is the same as in the first embodiment.
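
The first embodiment's D1 to D4 structure and its two-stage check (S 502 to S 510) can be sketched as follows. This is an added example, not code from the patent: HMAC stands in for the unspecified algorithm operations, and the pre-shared key, the header field layout (including a D3 length field), the state names and the `flip`/`deliver` helpers are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumptions (not in the patent): a pre-shared key, HMAC as the "algorithm
# operation", and this header field layout including a D3 length field.
KEY = b"constructed-demo-key"
ALGORITHMS = {1: hashlib.sha256, 2: hashlib.sha512, 3: hashlib.sha384}  # FIG. 4 table
HEADER_ALG = 1                      # Algorithm 1 always protects the header
HEADER_FMT = ">8s8sBHI"             # sender, receiver, identifier code, D4 len, D3 len
HEADER_SIZE = struct.calcsize(HEADER_FMT)           # fixed size shared by all terminals
D2_SIZE = ALGORITHMS[HEADER_ALG]().digest_size
FINAL = {"HEADER_INVALID", "UNKNOWN_ALGORITHM", "BODY_INVALID", "VALID"}


def mac(code, data):
    """Run the algorithm selected by an identifier code over data."""
    return hmac.new(KEY, data, ALGORITHMS[code]).digest()


def create(sender, receiver, payload, code=2):
    """Data creating processing (S401-S405): returns D1 || D2 || D3 || D4."""
    d4_len = ALGORITHMS[code]().digest_size
    d1 = struct.pack(HEADER_FMT, sender, receiver, code, d4_len, len(payload))
    d2 = mac(HEADER_ALG, d1)          # S403: header authentication data
    d4 = mac(code, d2 + payload)      # S404: authentication data over D2 || D3
    return d1 + d2 + payload + d4     # S405: integrate


class Receiver:
    """Data authentication processing (S502-S510) over a stream of chunks."""

    def __init__(self):
        self.buf = bytearray()        # temporary storage portion
        self.state = "RECEIVING"
        self.fields = None

    def feed(self, chunk):
        if self.state in FINAL:
            return self.state
        self.buf += chunk
        body_start = HEADER_SIZE + D2_SIZE
        if self.state == "RECEIVING" and len(self.buf) >= body_start:   # S502
            d1 = bytes(self.buf[:HEADER_SIZE])
            d2 = bytes(self.buf[HEADER_SIZE:body_start])
            if not hmac.compare_digest(mac(HEADER_ALG, d1), d2):        # S503/S504
                self.buf.clear()      # S505: cancel, keep nothing of the body
                self.state = "HEADER_INVALID"
                return self.state
            _, _, code, d4_len, d3_len = struct.unpack(HEADER_FMT, d1)
            # Added guard: an authentic header may still name an algorithm
            # this receiver does not hold.
            if code not in ALGORITHMS or d4_len != ALGORITHMS[code]().digest_size:
                self.state = "UNKNOWN_ALGORITHM"
                return self.state
            self.fields = (code, d4_len, d3_len)
            self.state = "HEADER_OK"
        if self.state == "HEADER_OK":
            code, d4_len, d3_len = self.fields
            d4_start = body_start + d3_len
            if len(self.buf) >= d4_start + d4_len:                      # S507
                covered = bytes(self.buf[HEADER_SIZE:d4_start])         # D2 || D3
                d4 = bytes(self.buf[d4_start:d4_start + d4_len])
                ok = hmac.compare_digest(mac(code, covered), d4)        # S508/S509
                self.state = "VALID" if ok else "BODY_INVALID"
        return self.state


def deliver(message, chunk_size=16):
    """Feed message in chunks; return (final state, bytes accepted before stopping)."""
    rx = Receiver()
    accepted = 0
    for i in range(0, len(message), chunk_size):
        chunk = message[i:i + chunk_size]
        accepted += len(chunk)
        if rx.feed(chunk) in FINAL:
            break
    return rx.state, accepted


def flip(message, index):
    """Return a copy of message with one byte altered (constructed tampering)."""
    out = bytearray(message)
    out[index] ^= 0x01
    return bytes(out)


if __name__ == "__main__":
    msg = create(b"term-A", b"term-B", b"constructed mail body " * 5)
    print(deliver(msg))                               # intact message
    print(deliver(flip(msg, 0)))                      # altered D1
    print(deliver(flip(msg, HEADER_SIZE + D2_SIZE)))  # altered D3
```

With 16-byte chunks, an altered header is rejected as soon as D1 and D2 are buffered, well before the message ends, while an altered data area is only detected once D4 has arrived; the two final states keep the failure causes distinct.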

Abstract

Provided is an authentication system capable of identifying a cause of a failure when authentication fails. A data structure of data to be authenticated has a header authentication data area (D2), and an authentication data area (D4) in addition to a header area (D1) and a data area (D3). The header authentication data area (D2) authenticates validity of the header area (D1), and the authentication data area (D4) authenticates the validity of the header authentication data area (D2) and the data area (D3). Since two kinds of authentication are carried out, the cause of the failure in authentication can be identified easily when authentication fails.

Description

    TECHNICAL FIELD
  • The present invention relates to an authentication technology.
  • BACKGROUND OF THE INVENTION
  • Authentication is often performed on data to be communicated (the term “communicate” or “communication” in this specification includes, in addition to data exchange between different devices, data exchange between chips or other components within the same device, and data exchange between a recording medium and a device) in order to, for example, check validity of data, and prevent data alteration or spoofing.
  • A common way to perform authentication is as follows.
  • That is, when authentication is necessary, data to be communicated has a data structure including a header area, a data area that contains digital information as a substantial object of the communication, and an authentication data area that contains authentication data used for authentication of the data area.
  • Authentication data contained in the authentication data area of this data structure is generated by performing a given algorithm operation on digital information contained in the data area. The header area of this data structure contains information for identifying an algorithm used for creating authentication data or data needed to create the authentication data (in some cases, the algorithm itself). Information about data length and sequence number may also be contained if necessary.
  • A device which has received data having this data structure performs an algorithm operation on digital information contained in the data area by way of an algorithm that is identified from information contained in the header area of the received data. The result of the operation is compared with authentication data contained in the authentication data area. When the two are found to be a match as a result of the comparison, the device judges that the received data is valid or complete, whereas the device judges that the received data is invalid or incomplete when the two do not match.
  • This and similar authentication methods have come into wide use and been effective to a certain degree. However, there is room for improvement to those authentication methods.
  • In the above-mentioned authentication method, the following conditions have to be met for successful authentication in which the received data is judged to be valid or complete.
  • (1) No alteration or the like has been made to information contained in the header area of the received data, i.e., data length information or information for identifying what algorithm is used to create authentication data.
  • (2) No alteration or the like has been made to the data area.
  • (3) No error is made in an algorithm operation performed on digital information in the data area by an algorithm that is identified from the information contained in the header area of the received data.
  • Accordingly, authentication fails if even one of the conditions (1) to (3) is not fulfilled and, when authentication fails, there is no way of specifying which one of (1) to (3) is the cause.
  • If the cause of an authentication failure can be identified, for example, if it can be specified that the unfulfilment of (3) has caused an authentication failure, there is no need to obtain the data again and a reattempt at authentication can be processed efficiently. If the cause of an authentication failure cannot be identified, on the other hand, every processing step that is necessary for authentication has to be performed all over again for a reattempt at authentication.
  • An object of the present invention is to provide a technique for making it possible to identify the cause of an authentication failure.
  • DISCLOSURE OF THE INVENTION
  • In order to achieve the above-mentioned object, the present invention provides two embodiments.
  • The first embodiment provides a data structure of data to be communicated in a communication, including: a data area for containing digital information that is a substantial object of the communication; a header area attached to the data area at a head of the data to be communicated; a header authentication data area for containing header authentication data used for authentication of the header area; and an authentication data area for containing authentication data used for authentication of the data area and the header authentication data area, in which the header area contains a second algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the data area using the authentication data.
  • The second embodiment provides a data structure of data to be communicated in a communication, including: a data area for containing digital information that is a substantial object of the communication; a header area attached to the data area at a head of the data to be communicated; a header authentication data area for containing header authentication data used for authentication of the header area; and an authentication data area for containing authentication data used for authentication of the data area, in which the header area contains a second algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the data area using the authentication data.
  • The first embodiment and the second embodiment each have a header authentication data area for containing header authentication data. Header authentication data is for authentication of a header area. The first embodiment and the second embodiment each have an authentication data area for containing authentication data. Authentication data in the first embodiment is for authentication of a data area and of a header authentication data area. Authentication data in the second embodiment is for authentication of a data area.
  • On receiving data with the data structure of the first embodiment, a device can perform authentication of the header area separately from authentication of the data area and of the header authentication data area. On receiving data with the data structure of the second embodiment, a device can perform authentication of the header area separately from authentication of the data area. A device that receives data with such a data structure can therefore determine, when authentication of the data fails, whether an alteration or the like was made to the header area or to an area other than the header area.
  • With the data structure according to the first embodiment or the second embodiment, the cause of an authentication failure can be identified. This helps raise the efficiency of, for example, retrying authentication processing.
  • The second algorithm information in the first embodiment and the second embodiment may be information for identifying a second algorithm (e.g., a code specifying a calculation method that is defined by a unified standard), or may be a second algorithm itself.
  • Data with the data structure according to the first embodiment or the second embodiment has a header area, a data area, a header authentication data area, and an authentication data area in sequence. The sequence is headed by the header area. The data area, the header authentication data area, and the authentication data area follow the header area in an arbitrary order.
  • The header authentication data area may be positioned immediately after the header area, for example. This is convenient since a device receiving data with the data structure of the first embodiment or the second embodiment can perform authentication on the header area as soon as the header area and the header authentication data area are received. For instance, when the authentication of the header area fails, the device can stop obtaining the subsequent areas of the data. This makes it possible to avoid loading data from the data area when an invalid code such as a virus is contained within the data area, and thereby prevent the invalid code from infiltrating the device performing authentication.
  • The header area of data with the data structure according to the first embodiment or the second embodiment may record information about the data length of the data area. This enables a device receiving the data to know where the data area starts and ends in performing authentication on the data area. The header area of data with a data structure according to the first embodiment or the second embodiment may contain at least one of information about the data length of the header area, information about the data length of the header authentication data area, and information about the data length of the authentication data area. Data indicating a break point between different kinds of data may be buried at the heads or tails of the header area, the header authentication data area, the data area, and the authentication data area, so that a device receiving the data can know where the data area starts and ends in performing authentication on the data area.
  • The header area of data with the data structure according to the first embodiment or the second embodiment may contain a first algorithm information, which is information for specifying what algorithm is employed in a given algorithm operation when authentication using the header authentication data is performed on the header area. When a first algorithm used in a device that performs authentication is determined in advance, there is no need to bury information for identifying the first algorithm in the header area. The first algorithm information in the first embodiment and the second embodiment, if it needs to be contained in the header area, may be information for identifying the first algorithm (e.g., a code specifying a calculation method that is defined by a unified standard), or may be the first algorithm itself.
  • Data with the data structure according to the first embodiment and data with the data structure according to the second embodiment can be created by, for example, devices described below.
  • The data with the data structure according to the first embodiment can be created using a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data, in which the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
  • The data with the data structure according to the second embodiment can be created using a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data, in which the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
  • The integrating means in these data processing devices may place the header authentication data area right behind the header area. Data created by such data processing devices has a data structure in which the header authentication data area immediately follows the header area. In this case, the means for creating header area data in the data processing devices may create data of specific size for the header area. By thus fixing the data length of the header area, in other words, by giving the header area a pre-arranged data length, the need is eliminated for the header area to contain information about the data length of the header area, and the header area data length is prevented from being faked. It also fixes the start point of the data area, thereby facilitating prevention of alteration of the data area.
  • The means for creating header area data in the data processing devices may record information about the data length of the data area in data of the header area. This means may make the header area contain at least one of information about the data length of the header area, information about the data length of the header authentication data area, and information about the data length of the authentication data area. The means for creating the header area, the means for creating the header authentication data area, the means for creating the data area, and the means for creating the authentication data area in the data processing devices may each bury data that indicates a break point between different kinds of data at the head or tail of data it creates.
  • In each of the above data processing devices, the means for creating header area data may make the header area contain a first algorithm information, which is information for specifying what algorithm is used in a given algorithm operation when authentication using the header authentication data is performed on the header area.
  • Data with a data structure according to the first embodiment and data with a data structure according to the second embodiment can be created by, for example, methods described below.
  • The data with the data structure according to the first embodiment can be created using a data processing method executed in a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including the steps of: creating, by the data processing device, data of a header area attached to the data area at a head of the data to be communicated; creating, by the data processing device, data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; creating, by the data processing device, authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating, by the data processing device, the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data, in which, in the step of creating data of the header area, a second algorithm information that is information for identifying the second algorithm is contained in the header area data.
  • The data with the data structure according to the second embodiment can be created using a data processing method executed in a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, including the steps of: creating, by the data processing device, data of a header area attached to the data area at a head of the data to be communicated; creating, by the data processing device, data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; creating, by the data processing device, authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating, by the data processing device, the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data, in which, in the step of creating data of the header area, a second algorithm information that is information for identifying the second algorithm is contained in the header area data.
  • The above-mentioned devices which create the data with the data structure according to the first embodiment and the data with the data structure according to the second embodiment may be dedicated devices. Alternatively, general-purpose computers can serve as these devices when, for example, computer programs described below are employed.
  • The above-mentioned device for creating the data with the data structure according to the first embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a computer to function as a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, in which the computer is caused to function as: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with a header area placed at the head of the integrated data, and in which the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
  • The above-mentioned device for creating the data with the data structure according to the second embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a computer to function as a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, in which the computer is caused to function as: means for creating data of a header area attached to the data area at a head of the data to be communicated; means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area; means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with a header area placed at the head of the integrated data, and in which the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
  • The above computer programs may be recorded in recording media.
  • The data with the data structure according to the first embodiment and the data with the data structure according to the second embodiment can be authenticated by, for example, devices described below.
  • The device for authenticating the data with the data structure according to the first embodiment is an authentication device that receives data having the data structure of the first embodiment and performs authentication on the data, including: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • The device for authenticating the data with the data structure according to the second embodiment is an authentication device that receives data having the data structure of the second embodiment and performs authentication on the data, including: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • The authentication means in the authentication devices may not carry out the algorithm operation when the header authentication device judges that a result of the algorithm operation performed on the header area using the first algorithm does not match the header authentication data.
  • The header authentication means may start the algorithm operation as soon as the header area and the header authentication data area are received in the case where data with the data structure according to the first embodiment or the second embodiment has the header authentication data area right behind the header area. In this case, the authentication devices may further include means for performing processing of discontinuing reception of data after the header authentication means judges that a result of the algorithm operation performed on the data by the header authentication means does not match the header authentication data. This means is expected to prevent troubles caused by receiving the entirety of data that is suspected of being altered, for example, troubles that a virus or other invalid codes contained in the data area may cause.
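The following Python example is added here for illustration and is not code from the patent. It builds the first-embodiment layout with D2 placed right behind a fixed-length D1, then authenticates it so that a header failure stops reading before the data area and each failure cause gets its own status. The 8-byte header layout, the shared key, the use of HMAC as the "algorithm operation", the status names and all function names are assumptions.

```python
import hashlib
import hmac
import io
import struct

# Assumed layout; the patent text fixes no sizes, keys or concrete algorithms.
#   D1 header (fixed 8 bytes): magic | second-algorithm code | data-area length
#   D2 header authentication data: HMAC-SHA256 over D1 (pre-agreed first algorithm)
#   D3 data area
#   D4 authentication data over D2 || D3, using the algorithm named in D1
HEADER = struct.Struct(">2sHI")
MAGIC = b"AD"
D2_LEN = 32
MAX_DATA_LEN = 1 << 20
# Stand-in for the algorithm holding portion: identifier code -> digest for HMAC.
SECOND_ALGORITHMS = {1: hashlib.sha256, 2: hashlib.sha512}


def mac_over(key, digest, *parts):
    """Keyed digest over the concatenation of parts."""
    mac = hmac.new(key, digestmod=digest)
    for part in parts:
        mac.update(part)
    return mac.digest()


def create(key, data, alg_code=1):
    """Data creating side: returns D1 || D2 || D3 || D4."""
    d1 = HEADER.pack(MAGIC, alg_code, len(data))
    d2 = mac_over(key, hashlib.sha256, d1)
    d4 = mac_over(key, SECOND_ALGORITHMS[alg_code], d2, data)
    return d1 + d2 + data + d4


def authenticate(key, stream):
    """Authenticating side. Returns (status, data, bytes_consumed)."""
    def done(status, data=None):
        return status, data, stream.tell()

    d1 = stream.read(HEADER.size)
    d2 = stream.read(D2_LEN)
    if len(d1) != HEADER.size or len(d2) != D2_LEN:
        return done("TRUNCATED")
    # Header authentication runs before any header field is trusted and
    # before any byte of the data area is read.
    if not hmac.compare_digest(mac_over(key, hashlib.sha256, d1), d2):
        return done("HEADER_INVALID")
    magic, alg_code, data_len = HEADER.unpack(d1)
    digest = SECOND_ALGORITHMS.get(alg_code)
    if magic != MAGIC or digest is None or data_len > MAX_DATA_LEN:
        return done("HEADER_UNSUPPORTED")
    d4_len = digest().digest_size
    d3 = stream.read(data_len)
    d4 = stream.read(d4_len)
    if len(d3) != data_len or len(d4) != d4_len:
        return done("TRUNCATED")
    # Second check covers D2 and D3, as in the first embodiment.
    if not hmac.compare_digest(mac_over(key, digest, d2, d3), d4):
        return done("DATA_INVALID")
    return done("OK", d3)


def flip(message, offset):
    """Constructed tampering helper: invert one bit at the given offset."""
    out = bytearray(message)
    out[offset] ^= 0x01
    return bytes(out)


def demo():
    """Run constructed cases; returns {case: (status, bytes_consumed)}."""
    key = b"constructed-demo-key"                          # constructed sample key
    msg = create(key, b"hello, terminal 1", alg_code=2)    # constructed sample data
    cases = {
        "intact": msg,
        "header altered": flip(msg, 3),                    # algorithm code in D1
        "data altered": flip(msg, HEADER.size + D2_LEN),   # first byte of D3
        "cut short": msg[:-10],
    }
    return {name: authenticate(key, io.BytesIO(m))[::2] for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the "header altered" case only the 40 bytes of D1 and D2 are consumed, which is the early stop the paragraph above describes.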
  • The data with the data structure according to the first embodiment and the data with the data structure according to the second embodiment can be authenticated by, for example, methods described below.
  • The method of authenticating the data with the data structure according to the first embodiment is an authentication method executed in an authentication device that receives data having the data structure of the first embodiment and performs authentication on the data, including the steps of: performing, by the authentication device, an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and performing, by the authentication device, an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from a second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • The method of authenticating the data with the data structure according to the second embodiment is an authentication method executed in an authentication device that receives data having the data structure of the second embodiment and performs authentication on the data, including the steps of: performing, by the authentication device, an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and performing, by the authentication device, an algorithm operation on the data area with the use of a second algorithm that is identified from a second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • The above-mentioned devices which authenticate data with a data structure according to the first embodiment and data with a data structure according to the second embodiment may be dedicated devices. Alternatively, general-purpose computers can serve as these devices when, for example, computer programs described below are employed.
  • The above-mentioned device for creating the data with the data structure according to the first embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a given computer to function as an authentication device that receives data having a data structure of the first embodiment and performs authentication on the data, in which the computer is caused to function as: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • The above-mentioned device for creating the data with the data structure according to the second embodiment can be manufactured using the following computer program. That is, there is provided a computer program for causing a given computer to function as an authentication device that receives data having the data structure of the second embodiment and performs authentication on the data, in which the computer is caused to function as: a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and an authentication means for performing an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
  • The above computer programs may be recorded in recording media.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a schematic diagram showing an overall configuration of a communication system according to a first embodiment.
  • FIG. 2 is a schematic diagram showing a hardware configuration of a terminal shown in FIG. 1.
  • FIG. 3 is a block diagram showing function blocks formed inside the terminal shown in FIG. 1.
  • FIG. 4 is a conceptual diagram showing contents of data recorded in an algorithm holding portion shown in FIG. 3.
  • FIG. 5 is a function block diagram showing an interior of a data creating portion shown in FIG. 3.
  • FIG. 6 is a function block diagram showing an interior of a data authentication portion shown in FIG. 3.
  • FIG. 7 is a flow chart showing a processing flow of data creating processing, which is executed by the data creating portion of the terminal shown in FIG. 1.
  • FIGS. 8A to 8C are conceptual diagrams showing an example of a header authentication data creating method.
  • FIG. 9 is a conceptual diagram showing a data structure of data created by the terminal.
  • FIG. 10 is a flow chart showing the processing flow of data authentication processing, which is executed by the data authentication portion of the terminal shown in FIG. 1.
  • BEST MODE FOR CARRYING OUT THE INVENTION
  • Detailed descriptions will be given with reference to the drawings on first through third preferred embodiments of the present invention.
  • The descriptions of the embodiments employ common symbols for common components, and redundant descriptions may be omitted.
  • First Embodiment
  • Described in the first embodiment is a communication system that is shown in FIG. 1 as terminals 1 connected to one another by a network N. The terminals 1 are capable of exchanging e-mail and the network N is, for example, the Internet.
  • The terminals 1 correspond to both a data processing device and an authentication device of the present invention. E-mail exchanged between the terminals 1 corresponds to data with a data structure according to the present invention. Each of the terminals 1 can create data about a piece of e-mail and can authenticate the received data.
  • A configuration of the terminals 1 is described.
  • The terminals 1 have basically the same configuration. Each terminal 1 has a general-purpose computer machine body 11 such as a common personal computer. The computer machine body 11 is connected to an input device 12, which is composed of a keyboard, a mouse and the like, and a display device 13 for displaying images.
  • The terminal 1 also has a disk drive 14 for reading given data or a computer program out of a recording medium M, which is, for example, a CD-ROM. The recording medium M shown in FIG. 1 records a computer program according to the present invention. The computer machine body 11 reads the computer program recorded in the recording medium M out of the recording medium M loaded into the disk drive 14. When installed, the computer program gives the computer machine body 11 functions of both the data processing device and data authentication device of the present invention.
  • The computer program may give the computer machine body 11 functions of both the data processing device and data authentication device of the present invention, alone or in cooperation with an OS installed in the computer, another computer program, or data.
  • The computer machine body 11 contains, as shown in FIG. 2, a CPU (Central Processing Unit) 21, a ROM (Read Only Memory) 22, a RAM (Random Access Memory) 23, an interface 24, and a bus 25 which connects these components to one another.
  • The CPU 21 executes given processing by executing a given computer program.
  • The ROM 22 is a recording medium that stores a computer program for operating the CPU 21, data necessary for controlling the display device 13, and the like.
  • The RAM 23 provides a work area for the CPU 21 to process data.
  • The interface 24 functions as a port through which data is exchanged with the outside. Through the interface 24, an input is made from the input device 12 and the disk drive 14 and an output of image data is made to the display device 13. The computer machine body 11 communicates with another terminal 1 through the interface 24 and the network N.
  • The CPU 21 incorporated in the terminal 1 of the present invention forms the following function blocks by executing the above-mentioned computer program.
  • The function blocks formed include, as shown in FIG. 3, an input/output management portion 31, a control portion 32 and a data obtaining portion 33. The terminal 1 in this embodiment has a function of creating e-mail, but a description on this function will be omitted.
  • The input/output management portion 31 controls communications between the terminals 1 over the network N, and has a function of sending data to another terminal 1 or receiving data from another terminal 1.
  • The control portion 32 has a function of executing data creating processing and data authentication processing which will be described later.
  • The data obtaining portion 33 obtains, when the control portion 32 executes data creating processing, digital information that is a substantial object of the transmission from another component of the terminal 1. The data obtaining portion 33 sends the digital information as a substantial object of the transmission to the control portion 32, more specifically, to a data creating portion 321.
  • The control portion 32 has the data creating portion 321, a data authentication portion 322 and an algorithm holding portion 323.
  • The data creating portion 321 has a function of creating transmission data by executing data creating processing, which will be described later, using digital information that is sent from the data obtaining portion 33.
  • The data authentication portion 322 performs data authentication processing, which will be described later, on data that is received by the input/output management portion 31 from another terminal 1.
  • The algorithm holding portion 323 records information about an algorithm used by the data creating portion 321 or the data authentication portion 322 when the data creating processing or the data authentication processing is executed. Plural algorithms are recorded in the algorithm holding portion 323 in a state shown in FIG. 4. Algorithm 1, Algorithm 2, Algorithm 3 . . . represent the recorded algorithms.
  • Identifier codes are also recorded in the algorithm holding portion 323 in a state shown in FIG. 4. Identifier Code 1, Identifier Code 2, Identifier Code 3 . . . represent the recorded identifier codes. An identifier code is associated with an algorithm denoted by the same number, so that once the identifier code is identified, the algorithm denoted by the same number as the identifier code is identified. The data size of an identifier code is much smaller than that of an algorithm.
  • The data creating portion 321 is as shown in FIG. 5.
  • The data creating portion 321 has a header creating portion 321A, a header authentication data creating portion 321B, an authentication data creating portion 321C, and a data integrating portion 321D.
  • The header creating portion 321A creates, when transmitting digital information that is received by the data creating portion 321 from the data obtaining portion 33, data about a header attached to a data area, which is an area containing the digital information to be transmitted. Header area data contains information about the sender terminal 1, the address of the receiver terminal 1, an identifier code as the one described above, and the like, which will be described later. The data about the header later constitutes a header area.
  • The header authentication data creating portion 321B has a function of creating header authentication data, which is needed when the terminal 1 receiving the created data executes header area authentication processing. The header authentication data later constitutes a header authentication data area.
  • The authentication data creating portion 321C creates authentication data, which is needed when the terminal 1 receiving the created data executes authentication processing of the header authentication data area and the data area. The authentication data later constitutes an authentication data area.
  • The data integrating portion 321D combines digital information received from the data obtaining portion 33 with header data created by the header creating portion 321A, header authentication data created by the header authentication data creating portion 321B, and authentication data created by the authentication data creating portion 321C, to thereby make them into a sequence of data. In this data, the digital information constitutes the data area, the header data constitutes the header area, the header authentication data constitutes the header authentication data area, and the authentication data constitutes the authentication data area.
  • The thus created data is transferred to the input/output management portion 31 to be sent to another terminal 1 that is indicated by the address written in the header area.
  • The data authentication portion 322 is as shown in FIG. 6.
  • The data authentication portion 322 has a header authentication portion 322A, an authentication portion 322B, a cancellation processing portion 322C and a temporary storage portion 322D.
  • The temporary storage portion 322D has a function of receiving, from the input/output management portion 31, data that is sent from another terminal 1 to be authenticated and temporarily storing the received data.
  • The header authentication portion 322A has a function of authenticating validity of the header area. The header authentication portion 322A reads the header area data and the header authentication data area data among data recorded in the temporary storage portion 322D, and performs the authentication.
  • The authentication portion 322B has a function of authenticating the validity of the data area and the header authentication data area. The authentication portion 322B reads header area data, header authentication data area data, data area data, and authentication data area data among data recorded in the temporary storage portion 322D, and performs the authentication.
  • The cancellation processing portion 322C has a function of deciding to perform processing of discontinuing reception of data after the header authentication portion 322A judges that the data contains an invalid header area. When the cancellation processing portion 322C decides to carry out the processing, information about the decision is sent to the input/output management portion 31. Receiving the information, the input/output management portion 31 discontinues the reception of the data that has the invalid header area if the reception of the data is still in progress.
  • Described next is an operation of the terminals 1 in this communication system.
  • As described above, the terminals 1 exchange e-mail with one another in this communication system. The terminal 1 that sends e-mail creates e-mail data (data creating processing), and the terminal 1 that receives e-mail performs authentication on the e-mail data (data authentication processing).
  • The data creating processing and the data authentication processing are described below.
  • [Data Creating Processing]
  • FIG. 7 shows a flow of processing executed by the data creating portion 321 in the data creating processing.
  • The data creating processing is performed upon transmission of e-mail in this embodiment.
  • When a user creates e-mail contents by operating the input device 12 of the terminal 1, digital information about the e-mail contents is created. The digital information is the substantial object of the transmission.
  • First, the data creating portion 321 obtains the digital information from the data obtaining portion 33, which has obtained the digital information as the substantial object of the transmission (S401). The digital information equals the data area.
  • Next, the header creating portion 321A creates the header data (S402). The header data later constituting the header area contains information about the sender terminal 1 and the address of the receiver terminal 1. The header data also contains information about the length of the authentication data and an identifier code associated with an algorithm that is used in authentication data creation, which will be described later. In this embodiment, the header creating portion 321A selects, from algorithms recorded in the algorithm holding portion 323, an algorithm that is used in creating the header authentication data and an algorithm that is used in creating the authentication data, and buries in the header area an identifier code associated with the algorithm that is used in creating the authentication data. Identifier Code 2 is contained, in this embodiment, in respective header data as the identifier code associated with the algorithm that is used in creating the authentication data. In this embodiment, Algorithm 1 is always used in creating the header authentication data. This information is shared among the terminals 1.
  • The header creating portion 321A sends, to the header authentication data creating portion 321B, information about which algorithm should be used in creating the header authentication data and sends, to the authentication data creating portion 321C, information about which algorithm is used in creating the authentication data.
  • In this embodiment, every header area (header data) created has a predetermined size. Information about the header area size is shared among the terminals 1 in this embodiment.
  • The header creating portion 321A sends the created header area data to the header authentication data creating portion 321B and to the data integrating portion 321D.
  • Next, the header authentication data creating portion 321B creates the header authentication data (S403).
  • The header authentication data creating portion 321B receives, prior to creating the header authentication data, from the header creating portion 321A, information about which algorithm should be used in creating the header authentication data and the created header data. Based on the received information and header data, the header authentication data creating portion 321B creates the header authentication data.
  • To be more specific, the header authentication data creating portion 321B reads, out of the algorithm holding portion 323, an algorithm that is specified by the received identifier code (Algorithm 1 in this embodiment), and performs an algorithm operation on the received header area using the read algorithm. The header authentication data is created as a result of the algorithm operation. The created header authentication data is sent to the authentication data creating portion 321C and to the data integrating portion 321D.
  • The algorithm operation can be any operation specified by an algorithm. Known methods such as CBC-MAC (Cipher Block Chaining-Message Authentication Code) may be employed, and a new calculation method may also be employed.
  • In this embodiment, the algorithm operation is performed as shown in FIGS. 8A to 8C.
  • In this embodiment, first, header data shown in FIG. 8A is equally divided into n parts as shown in FIG. 8B. Next, as shown in FIG. 8C, a specific calculation (denoted by “E” in the drawing; usually block encryption such as DES and AES is used) is performed on the divided data, starting from the front of the header data, and the result of the specific calculation is added (denoted by “+” in the drawing) to the next part of the divided data before performing the specific calculation again and adding the result of the specific calculation to the subsequent part of the divided data. This is repeated until the n-th part of the data. The final result is header authentication data.
  • Next, the authentication data creating portion 321C creates authentication data (S404).
  • Prior to creating authentication data, the authentication data creating portion 321C receives from the header creating portion 321A information about which algorithm should be used in creating authentication data. The authentication data creating portion 321C also receives in advance the created header authentication data from the header authentication data creating portion 321B and the digital information constituting the data area from the data obtaining portion 33.
  • Based on the received information and header authentication data, the authentication data creating portion 321C creates the authentication data area.
  • To be more specific, the authentication data creating portion 321C reads, out of the algorithm holding portion 323, an algorithm that is specified by the received identifier code (Algorithm 2 in this embodiment), and uses the read algorithm in performing an algorithm operation on a combination of the received header authentication data and digital information. Authentication data is created as a result of the algorithm operation.
  • The algorithm operation can be any operation specified by an algorithm as in the above case.
  • The created authentication data is sent to the data integrating portion 321D.
  • Next, the data integrating portion 321D integrates the data (S405).
  • The data integrating portion 321D receives in advance the digital information from the data obtaining portion 33, the header data from the header creating portion 321A, the header authentication data from the header authentication data creating portion 321B, and authentication data from the authentication data creating portion 321C.
  • The data integrating portion 321D integrates the received data into a sequence of data to be communication data. The digital information constitutes the data area, the header data constitutes the header area, the header authentication data constitutes the header authentication data area, and the authentication data constitutes the authentication data area. This transmission data is as shown in FIG. 9, and has a header area D1 at the head, and subsequently a header authentication data area D2, a data area D3 and an authentication data area D4 in the order stated.
  • This data is transferred to the input/output management portion 31 to be sent to another terminal 1 via the network N.
  • [Data Authentication Processing]
  • FIG. 10 shows the flow of processing executed by the data authentication portion 322 as the data authentication processing.
  • The data authentication processing is executed upon e-mail reception in this embodiment. For convenience of explanation, e-mail received here is the data described in the [Data Creating Processing] section.
  • When the terminal 1 receives e-mail from another terminal 1, data about the received e-mail is sent to the data authentication portion 322 through the input/output management portion 31. This causes the data authentication portion 322 to start receiving the data (S501).
  • The data being received is temporarily stored in the temporary storage portion 322D. The data is received sequentially from the left hand side of the data structure shown in FIG. 9 and recorded in the temporary storage portion 322D sequentially from the left hand side of the data structure shown in FIG. 9.
  • Next, the header authentication portion 322A performs header authentication. Header authentication may be carried out after the entirety of data is received. In this embodiment, however, header authentication is started before the reception of the data is completed, more specifically, as soon as the header area D1 and the header authentication data area D2 are received (and recorded in the temporary storage portion 322D).
  • The header authentication portion 322A of this embodiment therefore monitors for whether or not the header area D1 and the header authentication data area D2 have been received, in other words, whether or not the recording of the header area D1 and the header authentication data area D2 in the temporary storage portion 322D has been completed (S502).
  • When the header authentication data area D2 finishes being recorded in the temporary storage portion 322D (S502: YES), the header authentication portion 322A starts header authentication (S503). In the case where the recording of the header authentication data area D2 in the temporary storage portion 322D has not been completed (S502: NO), the header authentication portion 322A continues the monitoring described above.
  • Header authentication is performed as follows.
  • The header authentication portion 322A reads out of the algorithm holding portion 323 Algorithm 1 as an algorithm used in authentication of the header area. The terminals 1, which share information that Algorithm 1 should be used as an algorithm for creating header authentication data as mentioned above, also share information that Algorithm 1 should be used in header authentication performed on the header area. The header authentication portion 322A also reads the header area D1 and the header authentication data area D2 out of the temporary storage portion 322D.
  • Upon completion of the reading, the header authentication portion 322A performs an operation specified by Algorithm 1 on the header area. The algorithm operation is performed the same way as in the header authentication data creation described in the [Data Creating Processing] section. In the case where the header area D1 has not been altered and no data is missing, the result of the algorithm operation performed on the header area matches the header authentication data.
  • The header authentication portion 322A judges whether the header area D1 is valid or not from whether or not the two are a match (S504).
  • If it is judged that the header area D1 is invalid (S504: NO), the header authentication portion 322A informs the cancellation processing portion 322C of the fact. Informed of the fact, the cancellation processing portion 322C performs cancellation processing (S505). The cancellation processing is for discontinuing reception of data containing the header area D1 that is authenticated unsuccessfully in header authentication. The cancellation processing portion 322C informs the input/output management portion 31 of the fact that the cancellation processing is executed. The input/output management portion 31 discontinues the reception of the data at this point if the reception of the data is still in progress. When the header area D1 is invalid, there is a high risk that an invalid code is contained in the data area D3. Discontinuing reception of data in this manner increases the chance of avoiding troubles that result from receiving invalid codes.
  • When the header authentication portion 322A judges that the header area D1 is invalid (S504: NO), this information is sent also to the authentication portion 322B. The authentication portion 322B understands that the authentication failure is due to unsuccessful authentication of the header area D1 (S506).
  • If it is judged that the header area D1 is valid (S504: YES), the header authentication portion 322A informs the authentication portion 322B of the fact.
  • This causes the authentication portion 322B to carry out authentication of the header authentication data area D2 and the data area D3.
  • In this embodiment, the authentication portion 322B starts the authentication when reception of the entire data is completed, in other words, after the authentication data area D4 is received (and recorded in the temporary storage portion 322D).
  • The authentication portion 322B of this embodiment therefore monitors for whether reception of the entirety of data has been completed or not, in other words, whether or not the authentication data area D4 has finished being recorded in the temporary storage portion 322D (S507).
  • When the authentication data area D4 finishes being recorded in the temporary storage portion 322D (S507: YES), the authentication portion 322B starts the authentication (S508). In the case where the recording of the authentication data area D4 in the temporary storage portion 322D has not been completed (S507: NO), the authentication portion 322B continues the monitoring described above.
  • Prior to performing the authentication, the authentication portion 322B reads the header authentication data area D2, the data area D3 and the authentication data area D4 out of the temporary storage portion 322D. The authentication portion 322B also reads out of the header area D1 an identifier code as information for specifying which algorithm the authentication portion 322B uses to perform the authentication. The read identifier code is associated with Algorithm 2 as mentioned above.
  • Upon completion of the reading, the authentication portion 322B performs an operation specified by Algorithm 2, which is associated with the identifier code, on the header authentication data area D2 and the data area D3. For this algorithm operation, an algorithm associated with the identifier code is read out of the algorithm holding portion 323. The algorithm operation is performed the same way as in the authentication data creation described in the [Data Creating Processing] section. In the case where the header authentication data area D2 and the data area D3 have not been altered and no data is missing, the result of the algorithm operation matches the authentication data.
  • The authentication portion 322B judges whether the header authentication data area D2 and the data area D3 are valid or not from whether or not the result matches the authentication data (S509).
  • In the case where the authentication portion 322B judges that the header authentication data area D2 and the data area D3 are invalid (S509: NO), the authentication portion 322B grasps that the authentication failure is due to the fact that the header authentication data area D2 or the data area D3 is invalid (S506).
  • If it is judged that the header authentication data area D2 and the data area D3 are valid (S509: YES), the authentication portion 322B determines that the authentication of the data is a complete success (S510).
  • The data authentication processing is thus ended.
  • In this embodiment, the authentication portion 322B grasps the cause of an authentication failure as described above. This can be utilized in performing the data authentication processing again, and is also effective as data for statistically examining authentication failure patterns.
  • The terminal 1 in this embodiment has functions of both the data processing device and authentication device of the present invention.
  • Alternatively, the terminal 1 may have only one of the data processing device function and the authentication device function. In this case, the terminal 1 that functions only as the data processing device does not have the data authentication portion 322 out of the function blocks of the above terminal 1 whereas the terminal 1 that functions only as the authentication device does not have the data creating portion 321 out of the function blocks of the above terminal 1.
  • Second Embodiment
  • The terminals 1 according to a second embodiment are substantially the same as the terminals 1 in the first embodiment. In the second embodiment too, the terminals 1 can exchange e-mail with one another and are connected to one another via the network N, which is, for example, the Internet, to constitute the communication system shown in FIG. 1.
  • The terminals 1 according to the second embodiment correspond to both the data processing device and authentication device of the present invention. E-mail exchanged between the terminals 1 corresponds to data with a data structure according to the present invention. Each of the terminals 1 can create data about a piece of e-mail and can authenticate the data received.
  • Each terminal 1 has the same configuration as in the first embodiment. The terminal 1 of the second embodiment has the hardware configuration shown in FIG. 2 as does the terminal 1 of the first embodiment. The terminal 1 of the second embodiment, too, obtains the functions of both the data processing device and authentication device of the present invention by reading a computer program out of the given recording medium M.
  • By executing the above computer program, the CPU 21 contained in the terminal 1 of the second embodiment forms the same function blocks as those in the first embodiment.
  • The function blocks formed in the second embodiment are as shown in FIG. 3 as in the first embodiment.
  • What makes the second embodiment different from the first embodiment are the functions of the authentication data creating portion 321C and the authentication portion 322B.
  • A description is given below on functions of the authentication data creating portion 321C and the authentication portion 322B that are formed in the terminal 1 of the second embodiment.
  • The authentication data creating portion 321C that is formed in the terminal 1 of the second embodiment creates authentication data based on digital information, unlike the case of the first embodiment.
  • The authentication data creating portion 321C in the terminal 1 of the second embodiment reads, prior to creating authentication data, out of the header creating portion 321A, which algorithm should be used in creating authentication data. The authentication data creating portion 321C also receives in advance digital information constituting the data area from the data obtaining portion 33. Based on the received information, the authentication data creating portion 321C creates authentication data.
  • To be more specific, the authentication data creating portion 321C reads out of the algorithm holding portion 323 an algorithm that is specified by the received identifier code, and performs an algorithm operation on the data area received in advance by using the read algorithm. Authentication data is created as a result of the algorithm operation.
  • Next, the authentication portion 322B formed in the terminal 1 of the second embodiment is described.
  • The authentication portion 322B in the second embodiment performs authentication on the data area out of the areas of the received data, instead of the header authentication data area and the data area as in the first embodiment.
  • Prior to performing the authentication, the authentication portion 322B in the second embodiment reads out of the header area an identifier code as information for specifying which algorithm the authentication portion 322B uses to perform authentication on the data area D3. The authentication portion 322B also reads the data area D3 and the authentication data area D4 out of the temporary storage portion 322D.
  • Upon completion of the reading, the authentication portion 322B performs an operation specified by the algorithm that is associated with the identifier code. For this algorithm operation, an algorithm associated with the identifier code is read out of the algorithm holding portion 323. In the case where the data area D3 has not been altered and no data is missing, the result of the algorithm operation matches the authentication data.
  • The authentication portion 322B judges whether the data area D3 is valid or not from whether or not the result matches the authentication data.
  • The overall processing flow of data creating processing and data authentication processing executed in the terminal 1 of the second embodiment is the same as in the first embodiment.
  • Third Embodiment
  • The terminals 1 according to a third embodiment are substantially the same as the terminals 1 in the first embodiment. In the third embodiment too, the terminals 1 can exchange e-mail with one another and are connected to one another via the network N, which is, for example, the Internet, to constitute the communication system shown in FIG. 1.
  • The terminals 1 according to the third embodiment correspond to both the data processing device and authentication device of the present invention. E-mail exchanged between the terminals 1 corresponds to data with a data structure according to the present invention. Each of the terminals 1 can create data about a piece of e-mail and can authenticate the data received.
  • Each terminal 1 has the same configuration as in the first embodiment. The terminal 1 of the third embodiment has the hardware configuration shown in FIG. 2 as does the terminal 1 of the first embodiment. The terminal 1 of the third embodiment, too, obtains the functions of both the data processing device and authentication device of the present invention by reading a computer program out of the given recording medium M.
  • Executing the above computer program, the CPU 21 contained in the terminal 1 of the third embodiment forms the same function blocks as those in the first embodiment.
  • The function blocks formed in the third embodiment are as shown in FIG. 3 as in the first embodiment.
  • The third embodiment differs from the first embodiment in that the terminals 1 in the third embodiment do not share information about which algorithm should be used as an algorithm for creating header authentication data and information about which algorithm should be used in header authentication performed on the header area.
  • This difference gives the header creating portion 321A and header authentication portion 322A of the terminal 1 in the third embodiment functions that are different from those of the terminal 1 in the first embodiment.
  • A description is given below on functions of the header creating portion 321A and the header authentication portion 322A that are formed in the terminal 1 of the third embodiment.
  • The header creating portion 321A formed in the terminal 1 of the third embodiment makes header area data contain, in addition to the aforementioned information, an identifier code for specifying which algorithm is used in creating header authentication data.
  • The header authentication portion 322A formed in the terminal 1 of the third embodiment reads, in performing header authentication, out of the header area data, the identifier code for specifying which algorithm is used in performing authentication of the header area. The header authentication portion 322A also reads out of the algorithm holding portion 323 an algorithm that is identified by the read identifier code, and performs an operation specified by the algorithm on the header area data.
  • The overall processing flow of data creating processing and data authentication processing executed in the terminal 1 of the third embodiment is the same as in the first embodiment.
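The receiver-side flow of the third embodiment, with the header checked before any of the data area is read, can be sketched as follows. This is an added example, not code from the patent: the 8-byte header layout, the use of HMAC as the "algorithm operation", the shared key, the identifier values 1 and 2, and the length bound are all assumptions made for illustration.

```python
import hashlib
import hmac
import io
import struct

# Assumed wire layout (the patent text does not fix field sizes):
#   header area (fixed 8 bytes): first_alg_id, second_alg_id, reserved, data_length
#   header authentication data : placed immediately behind the header area
#   data area                  : data_length bytes
#   authentication data        : covers data area + header authentication data
HEADER = struct.Struct(">BBHI")

# Stand-in for the algorithm holding portion: identifier code -> algorithm.
# Keyed HMAC is an assumption; the text only speaks of an "algorithm operation".
ALGORITHMS = {1: hashlib.sha256, 2: hashlib.sha512}
MAX_DATA_LENGTH = 1 << 20  # receiver-side bound (assumption)


class AuthenticationError(Exception):
    pass


def _tag(key, alg_id, message):
    return hmac.new(key, message, ALGORITHMS[alg_id]).digest()


def _read_exact(stream, n):
    chunk = stream.read(n)
    if len(chunk) != n:
        raise AuthenticationError("truncated message")
    return chunk


def build_message(key, data, first_id, second_id):
    """Sender side: header, header authentication data, data, authentication data."""
    header = HEADER.pack(first_id, second_id, 0, len(data))
    header_auth = _tag(key, first_id, header)
    auth = _tag(key, second_id, data + header_auth)
    return header + header_auth + data + auth


def authenticate(key, stream):
    """Receiver side: return the data area, or raise AuthenticationError."""
    header = _read_exact(stream, HEADER.size)
    first_id, second_id, _reserved, data_length = HEADER.unpack(header)
    # The identifier code is read before the header has been authenticated,
    # so only identifiers present in the holding table are accepted.
    if first_id not in ALGORITHMS:
        raise AuthenticationError("unknown header algorithm identifier")
    header_auth = _read_exact(stream, ALGORITHMS[first_id]().digest_size)
    if not hmac.compare_digest(_tag(key, first_id, header), header_auth):
        # Reception is discontinued here: the data area is never read.
        raise AuthenticationError("header authentication failed")
    # Only now are the remaining header fields trusted enough to act on.
    if second_id not in ALGORITHMS or data_length > MAX_DATA_LENGTH:
        raise AuthenticationError("header fields rejected")
    data = _read_exact(stream, data_length)
    auth = _read_exact(stream, ALGORITHMS[second_id]().digest_size)
    if not hmac.compare_digest(_tag(key, second_id, data + header_auth), auth):
        raise AuthenticationError("data authentication failed")
    return data


def check(key, raw):
    """Return (verdict, number of bytes read from the stream) for a raw message."""
    stream = io.BytesIO(raw)
    try:
        authenticate(key, stream)
        return "ok", stream.tell()
    except AuthenticationError as exc:
        return str(exc), stream.tell()


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    good = build_message(key, b"payload bytes", 1, 2)
    tampered = bytearray(good)
    tampered[7] ^= 0x01                       # alter the data_length field
    print(check(key, good))
    print(check(key, bytes(tampered)))
```

With a tampered header the receiver stops after the header area and the header authentication data, which is the early discontinuation the header-first ordering is meant to allow.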

Claims (32)

1. A data structure of data to be communicated in a communication, comprising:
a data area for containing digital information that is a substantial object of the communication;
a header area attached to the data area at a head of the data to be communicated;
a header authentication data area for containing header authentication data used for authentication of the header area; and
an authentication data area for containing authentication data used for authentication of the data area and the header authentication data area,
wherein the header area contains a second algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the data area using the authentication data.
2. The data structure according to claim 1, wherein the header area contains information about a data length of the data area.
3. The data structure according to claim 1, wherein the header area contains a first algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the header area using the header authentication data.
4. The data structure according to claim 1, wherein the header authentication data area is placed immediately behind the header area.
5. An authentication device that receives data having a data structure of claim 1 and performs authentication on the data, comprising:
a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and
an authentication means for performing an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
6. The authentication device according to claim 1, wherein the authentication means does not carry out the algorithm operation when the header authentication means judges that a result of the algorithm operation performed on the header area based on the first algorithm does not match the header authentication data.
7. The authentication device according to claim 6, wherein, in a case where the header authentication data area is placed immediately behind the header area,
the header authentication means starts the algorithm operation as soon as the header area and the header authentication data area are received, and
wherein the authentication device further comprises means for performing processing of discontinuing reception of data after the header authentication means judges that a result of the algorithm operation performed on the header area of the data does not match the header authentication data.
8. An authentication method executed in an authentication device that receives data having a data structure of claim 1 and performs authentication on the data, comprising the steps of:
performing, by the authentication device, an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and
performing, by the authentication device, an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from a second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
9. A computer program for causing a given computer to function as an authentication device that receives data having a data structure of claim 1 and performs authentication on the data, wherein the computer is caused to function as:
a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and
an authentication means for performing an algorithm operation on the data area and the header authentication data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
10. A recording medium in which a computer program according to claim 9 is recorded.
11. A data structure of data to be communicated in a communication, comprising:
a data area for containing digital information that is a substantial object of the communication;
a header area attached to the data area at a head of the data to be communicated;
a header authentication data area for containing header authentication data used for authentication of the header area; and
an authentication data area for containing authentication data used for authentication of the data area,
wherein the header area contains a second algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the data area using the authentication data.
12. The data structure according to claim 11, wherein the header area contains information about a data length of the data area.
13. The data structure according to claim 1, wherein the header area contains a first algorithm information that is information for identifying an algorithm for a given algorithm operation that is performed to authenticate the header area using the header authentication data.
14. The data structure according to claim 5, wherein the header authentication data area is placed immediately behind the header area.
15. An authentication device that receives data having a data structure of claim 2 and performs authentication on the data, comprising:
a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and
an authentication means for performing an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
16. The authentication device according to claim 15, wherein the authentication means does not carry out the algorithm operation when the header authentication means judges that a result of the algorithm operation performed on the header area based on the first algorithm does not match the header authentication data.
17. The authentication device according to claim 15,
wherein, in a case where the header authentication data area is placed immediately behind the header area,
the header authentication means starts the algorithm operation as soon as the header area and the header authentication data area are received, and
wherein the authentication device further comprises means for performing processing of discontinuing reception of data after the header authentication means judges that a result of the algorithm operation performed on the header area of the data does not match the header authentication data.
18. An authentication method executed in an authentication device that receives data having a data structure of claim 2 and performs authentication on the data, comprising the steps of:
performing, by the authentication device, an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and
performing, by the authentication device, an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
19. A computer program for causing a given computer to function as an authentication device that receives data having a data structure of claim 1 and performs authentication on the data, wherein the computer is caused to function as:
a header authentication means for performing an algorithm operation on the header area with the use of a first algorithm, which is employed in the algorithm operation in creating the header area, and judging whether a result of the algorithm operation matches the header authentication data or not; and
an authentication means for performing an algorithm operation on the data area with the use of a second algorithm that is identified from the second algorithm information contained in the header area, and judging whether a result of the algorithm operation matches the authentication data or not.
20. A recording medium in which a computer program according to claim 1 is recorded.
21. A data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, comprising:
means for creating data of a header area attached to the data area at a head of the data to be communicated;
means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area;
means for creating authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and
integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data,
wherein the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
22. The data processing device according to claim 21, wherein the integrating means places the header authentication data area immediately behind the header area.
23. The data processing device according to claim 21, wherein the means for creating data of the header area creates the header area data in a specific size.
24. A data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, comprising:
means for creating data of a header area attached to the data area at a head of the data to be communicated;
means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area;
means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and
integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data,
wherein the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
25. The data processing device according to claim 24, wherein the integrating means places the header authentication data area immediately behind the header area.
26. The data processing device according to claim 24, wherein the means for creating data of the header area creates the header area data in a specific size.
27. A data processing method executed in a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, comprising the steps of:
creating, by the data processing device, data of a header area attached to the data area at a head of the data to be communicated;
creating, by the data processing device, data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area;
creating, by the data processing device, authentication data used for authentication of the data area and the header authentication data area, based on data that is contained in the data area and the header authentication data area and a second algorithm with which a given algorithm operation is performed on this data; and
integrating, by the data processing device, the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data,
wherein, in the step of creating data of the header area, a second algorithm information that is information for identifying the second algorithm is contained in the header area data.
28. A data processing method executed in a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication, comprising the steps of:
creating, by the data processing device, data of a header area attached to the data area at a head of the data to be communicated;
creating, by the data processing device, data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area;
creating, by the data processing device, authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and
integrating, by the data processing device, the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with the header area placed at a head of the integrated data,
wherein, in the step of creating data of the header area, a second algorithm information that is information for identifying the second algorithm is contained in the header area data.
29. A computer program for causing a computer to function as a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication,
wherein the computer is caused to function as:
means for creating data of a header area attached to the data area at a head of the data to be communicated;
means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area;
means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and
integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with a header area placed at the head of the integrated data, and
wherein the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
30. A recording medium in which a computer program according to claim 29 is recorded.
31. A computer program for causing a computer to function as a data processing device for processing data that has a data area for containing digital information as a substantial object of a communication,
wherein the computer is caused to function as:
means for creating data of a header area attached to the data area at a head of the data to be communicated;
means for creating data of a header authentication data area based on data that is contained in the header area and a first algorithm with which a given algorithm operation is performed on this data, the header authentication data area data being used for authentication of the header area;
means for creating authentication data used for authentication of the data area, based on data that is contained in the data area and a second algorithm with which a given algorithm operation is performed on this data; and
integrating means for integrating the digital information, the header area data, the header authentication data, and the authentication data to constitute the data area, the header area, the header authentication data area, and the authentication data area, respectively, with a header area placed at the head of the integrated data, and
wherein the means for creating data of the header area makes the header area data contain a second algorithm information that is information for identifying the second algorithm.
32. A recording medium in which a computer program according to claim 31 is recorded.
US11/596,022 2004-05-10 2005-03-23 Authentication device and method Expired - Fee Related US8205075B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2004140483A JP4749680B2 (en) 2004-05-10 2004-05-10 Data structure, data processing apparatus, data processing method, authentication apparatus, authentication method, computer program, and recording medium
JP2004-140483 2004-05-10
PCT/JP2005/005997 WO2005109746A1 (en) 2004-05-10 2005-03-23 Authentication system and method

Publications (2)

Publication Number Publication Date
US20070294535A1 (en) 2007-12-20
US8205075B2 US8205075B2 (en) 2012-06-19

Family

ID=35320553

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/596,022 Expired - Fee Related US8205075B2 (en) 2004-05-10 2005-03-23 Authentication device and method

Country Status (6)

Country Link
US (1) US8205075B2 (en)
EP (1) EP1746761A4 (en)
JP (1) JP4749680B2 (en)
KR (1) KR100924884B1 (en)
CN (1) CN1965525B (en)
WO (1) WO2005109746A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4460011B2 (en) 2008-05-27 2010-05-12 国立大学法人広島大学 Moving image distribution system, moving image distribution method, server in moving image distribution system, and user terminal in moving image distribution system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001223735A (en) 2000-02-09 2001-08-17 Fuji Xerox Co Ltd Data communication device and recording medium
JP4311899B2 (en) * 2001-03-02 2009-08-12 パナソニック株式会社 Method and apparatus for content distribution and protection

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6516412B2 (en) * 1995-04-03 2003-02-04 Scientific-Atlanta, Inc. Authorization of services in a conditional access system
US6560340B1 (en) * 1995-04-03 2003-05-06 Scientific-Atlanta, Inc. Method and apparatus for geographically limiting service in a conditional access system
US6108583A (en) * 1997-10-28 2000-08-22 Georgia Tech Research Corporation Adaptive data security system and method
US7434052B1 (en) * 1999-02-16 2008-10-07 Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. Method and device for producing an encrypted payload data stream and method and device for decrypting an encrypted payload data stream
US20020169971A1 (en) * 2000-01-21 2002-11-14 Tomoyuki Asano Data authentication system
US7373506B2 (en) * 2000-01-21 2008-05-13 Sony Corporation Data authentication system
US20020002676A1 (en) * 2000-06-29 2002-01-03 Yusuke Kawasaki Contents check method, contents renewal method and processing apparatus
US20040162980A1 (en) * 2001-05-23 2004-08-19 Laurent Lesenne Security devices and processes for protecting and identifying messages
US20040103202A1 (en) * 2001-12-12 2004-05-27 Secretseal Inc. System and method for providing distributed access control to secured items
US7783765B2 (en) * 2001-12-12 2010-08-24 Hildebrand Hal S System and method for providing distributed access control to secured documents
US7296148B2 (en) * 2002-01-09 2007-11-13 Nec Corporation Communication system and network control apparatus with encryption processing function, and communication control method
US7627753B2 (en) * 2002-03-19 2009-12-01 Microsoft Corporation Secure digital data format and code enforced policy
US20030182574A1 (en) * 2002-03-19 2003-09-25 Whitten Jon Marcus Randall Secure digital data format and code enforced policy
US20040123109A1 (en) * 2002-09-16 2004-06-24 Samsung Electronics Co., Ltd. Method of managing metadata
US20040139339A1 (en) * 2002-11-26 2004-07-15 Matsushita Electric Industrial Co., Ltd. Data encryption and decryption method and apparatus
US20040143734A1 (en) * 2002-12-05 2004-07-22 Buer Mark L. Data path security processing
US20040193876A1 (en) * 2003-03-27 2004-09-30 Donley Christopher J. Method to authenticate packet payloads
US20050152538A1 (en) * 2004-01-08 2005-07-14 Encryption Solutions, Inc. Method of encrypting and transmitting data and system for transmitting encrypted data
US7624263B1 (en) * 2004-09-21 2009-11-24 Advanced Micro Devices, Inc. Security association table lookup architecture and method of operation

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Schwartz et al., "Smart packets: applying active networks to network management", ACM Transactions on Computer Systems (TOCS), Volume 18 Issue 1, Feb. 2000. *

Also Published As

Publication number Publication date
JP2005323215A (en) 2005-11-17
WO2005109746A1 (en) 2005-11-17
KR20070022079A (en) 2007-02-23
CN1965525A (en) 2007-05-16
US8205075B2 (en) 2012-06-19
JP4749680B2 (en) 2011-08-17
KR100924884B1 (en) 2009-11-02
EP1746761A1 (en) 2007-01-24
CN1965525B (en) 2010-05-05
EP1746761A4 (en) 2011-06-15


Legal Events

Date Code Title Description
AS Assignment

Owner name: SONY COMPUTER ENTERTAINMENT INC., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MORIAI, SHIHO;SHIMADA, MUNEKI;SHIBUTANI, KYOJI;REEL/FRAME:019551/0492;SIGNING DATES FROM 20070612 TO 20070613

Owner name: SONY CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MORIAI, SHIHO;SHIMADA, MUNEKI;SHIBUTANI, KYOJI;REEL/FRAME:019551/0492;SIGNING DATES FROM 20070612 TO 20070613

AS Assignment

Owner name: SONY NETWORK ENTERTAINMENT PLATFORM INC., JAPAN

Free format text: CHANGE OF NAME;ASSIGNOR:SONY COMPUTER ENTERTAINMENT INC.;REEL/FRAME:027444/0452

Effective date: 20100401

AS Assignment

Owner name: SONY COMPUTER ENTERTAINMENT INC., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SONY NETWORK ENTERTAINMENT PLATFORM INC.;REEL/FRAME:027446/0443

Effective date: 20100401

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20160619